Reviewed: https://review.openstack.org/371920
Committed:
https://git.openstack.org/cgit/openstack/manila/commit/?id=0d4438368fd769a0e6b83bfdaf1cb980f888c504
Submitter: Zuul
Branch: master
commit 0d4438368fd769a0e6b83bfdaf1cb980f888c504
Author: Iswarya_Vakati <v.iswa...@nectechnologies.in>
Date: Sat Sep 17 17:07:16 2016 +0530
Don't attempt to escalate manila-manage privileges
Remove code which allowed manila-manage to attempt to escalate
privileges so that configuration files can be read by users who
normally wouldn't have access, but do have sudo access.
Change-Id: Ie3bf9a81ee8d723cd8618643fa9d7382462aae42
Closes-Bug:#1611171
** Changed in: manila
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1611171
Title:
re-runs self via sudo
Status in Cinder:
Fix Released
Status in Designate:
Fix Released
Status in ec2-api:
Fix Released
Status in gce-api:
Fix Released
Status in Manila:
Fix Released
Status in masakari:
Fix Released
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Compute (nova) newton series:
Fix Committed
Status in OpenStack Security Advisory:
Won't Fix
Status in Rally:
Fix Released
Bug description:
Hello, I'm looking through Designate source code to determine if is
appropriate to include in Ubuntu Main. This isn't a full security
audit.
This looks like trouble:
./designate/cmd/manage.py
def main():
CONF.register_cli_opt(category_opt)
try:
utils.read_config('designate', sys.argv)
logging.setup(CONF, 'designate')
except cfg.ConfigFilesNotFoundError:
cfgfile = CONF.config_file[-1] if CONF.config_file else None
if cfgfile and not os.access(cfgfile, os.R_OK):
st = os.stat(cfgfile)
print(_("Could not read %s. Re-running with sudo") % cfgfile)
try:
os.execvp('sudo', ['sudo', '-u', '#%s' % st.st_uid] +
sys.argv)
except Exception:
print(_('sudo failed, continuing as if nothing happened'))
print(_('Please re-run designate-manage as root.'))
sys.exit(2)
This is an interesting decision -- if the configuration file is _not_
readable by the user in question, give the executing user complete privileges
of the user that owns the unreadable file.
I'm not a fan of hiding privilege escalation / modifications in
programs -- if a user had recently used sudo and thus had the
authentication token already stored for their terminal, this 'hidden'
use of sudo may be unexpected and unwelcome, especially since it
appears that argv from the first call leaks through to the sudo call.
Is this intentional OpenStack style? Or unexpected for you guys too?
(Feel free to make this public at your convenience.)
Thanks
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1611171/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
